KR102533823B1 - Apparatus and method for interpreting authorizations related to entitlement - Google Patents

Abstract

An apparatus and method for interpreting authorizations related to entitlement is provided. The apparatus is accessible to processing circuitry that executes instructions to perform operations and to the processing circuitry to remember entitlements used to limit at least one operation performed by the processing circuitry when executing the instructions. An arranged qualification storage element is provided. This entitlement specifies, according to the default interpretation, a plurality of N default permissions whose status is determined from the N permission flags provided in the entitlement. According to the default interpretation, each permission flag is associated with one of the default permissions. Processing circuitry is arranged to analyze entitlements according to different interpretations, to obtain, from logical combinations of the N permission flags, status for an extended set of permissions, this extended set consisting of at least N+1 permissions. . This provides a mechanism to encode additional permissions into entitlements without increasing the number of required permission flags, but still retains the desired behavior.

Description

Apparatus and method for interpreting authorizations related to entitlements

The present technology relates to the field of data processing.

There is growing interest in entitlement-based architectures, where specific entitlements are specified for a given process, and an error can be triggered if an attempt is made to perform operations outside of those entitlements. The entitlements can take a variety of forms, but one type of entitlement is a bounded pointer (also referred to as a "fat pointer").

A number of entitlement stores (eg, registers) may be provided to store entitlements for access by processing circuitry of the data processing device. Each entitlement may include a number of permission flags that specify one or more permissions associated with the entitlement, eg, to limit the use of the entitlement to certain types of operation of processing circuitry, certain modes of operation, and the like. Considering, for example, a restriction pointer within such entitlement storage, this, along with one or more permission flags specifying the associated permissions, may specify an unextended range of memory addresses accessible by the processing circuitry. For processing circuitry, steps may be taken to reduce the range and/or clear permission flags associated with any particular limit pointer available to the range, but processing circuitry may not operate within the range in normal operation. cannot be extended or set permission flags, trying to elevate the entitlement provided to the processing circuitry by the corresponding limit pointer.

While it would be desirable to allow the number of permissions associated with an entitlement to be extended, the number of bits used to encode an entitlement is typically limited by, for example, the size of entitlement stores that store the entitlements.

In a first configuration example, processing circuitry that executes instructions to perform operations; and an entitlement storage element accessible to processing circuitry, the entitlement storage being arranged to remember an entitlement used to limit at least one operation performed by the processing circuitry when executing the instructions, the entitlement comprising: specifies, according to a default interpretation, a plurality of N default permissions having a state determined from the N permission flags provided in the entitlement, each permission flag being related to one of the default permissions; Processing circuitry is arranged to analyze entitlements according to different interpretations, to obtain, from the logical combinations of the N permission flags, status for an extended set of permissions, this extended set consisting of at least N+1 permissions. and the extended set of grants includes the plurality of N default grants and at least one additional grant.

In another example configuration, processing circuitry to execute instructions to perform operations, and access to the processing circuitry for use in limiting at least one operation performed by the processing circuitry when executing the instructions. A method of interpreting entitlements associated with an entitlement in an apparatus having entitlements arranged to store an entitlement specifying a plurality of N default permissions for a default entitlement, the method comprising: a state of the default entitlements, according to the default interpretation. providing the N permission flags in the entitlement, such that is determined from the N permission flags and each permission flag is associated with one of the default permissions; and resolving entitlements according to different interpretations to obtain, from the logical combinations of the N permission flags, a status for an extended set of permissions, wherein the expanded set consists of at least N+1 permissions; The extended set of permissions includes the plurality of N default permissions and at least one additional permission.

In a further configuration example, processing means for executing instructions to perform operations; and entitlement storage means for storing entitlements accessed by the processing circuitry and used to limit at least one operation performed by the processing means when executing the instructions, the entitlements having a default interpretation. specifies a plurality of N default permissions with a state determined from the N permission flags provided in the entitlement, each permission flag being related to one of the default permissions according to the default interpretation; The processing means is arranged to analyze entitlements according to different interpretations, in order to obtain, from the logical combinations of the N permission flags, status for an extended set of permissions, this extended set consisting of at least N+1 permissions, , the expanded set of permissions includes the plurality of N default permissions, and at least one additional permission.

In another additional configuration example, a virtual machine computer program composed of program instructions for controlling the host data processing device to provide a command execution environment corresponding to the device of the first configuration example described above is provided. In one embodiment, a computer readable storage medium for storing the virtual machine computer program may be provided.

The technology will be further explained by way of example only with reference to embodiments as shown in the accompanying drawings below:
1 is a block diagram of a device according to an embodiment;
Figure 2 illustrates examples of multiple types of instructions that may trigger an error if an attempt is made to set or access a pointer value within a set of constrained pointer storage elements, where the pointer value is indicated by associated range information. used to designate an out-of-range address;
3 illustrates the use of tag bits in conjunction with constraint pointers, according to one embodiment;
Figure 4 is a diagram illustrating the permission bits, which may be provided in a constrained pointer entitlement according to one embodiment, with a default interpretation of the permission bits;
5 is a flow diagram illustrating how the state of a modifiable permission is determined from permission bits, depending on whether a default interpretation or another interpretation is in use;
6 is a flow diagram illustrating how the state of an executable permission is determined from permission bits, depending on whether a default interpretation or another interpretation is in use;
Figure 7 is a flow diagram illustrating how the state of a special read permission is determined from permission bits, depending on whether a default interpretation or another interpretation is in use;
Figure 8 is a flow diagram showing how the status of a special write permission is determined from permission bits, depending on whether a default interpretation or another interpretation is in use;
Figure 9 is a table schematically illustrating the state of an extended set of permissions, in one embodiment, according to another interpretation, as determined from the execute, read and write permission bits stored in the entitlement;
10 is a state transition diagram showing allowed transitions in the states of the read, write and execute permission bits in one embodiment;
11 schematically illustrates operations performed when executing an address generating command according to an embodiment;
12 schematically illustrates the operation of a branch with link instruction according to one embodiment;
13 schematically illustrates execution of a branch instruction according to one embodiment;
14 illustrates a virtual machine implementation that may be used.

Prior to describing the embodiments with reference to the accompanying drawings, the following embodiments are described.

As mentioned above, there is growing interest in entitlement-based architectures, where specific entitlements are specified for a given process, and an error can be triggered if an attempt is made to perform operations outside of those entitlements. Although several types of entitlements may be specified, one type of entitlement is a constrained pointer (which in one embodiment includes both a range and permission information associated with a pointer value).

A device employing such a qualifications-based architecture will generally have storage elements (also referred to herein as limit pointer stores, or more commonly, qualification stores) used to store the entitlements. The storage elements may be registers (also referred to herein as limit pointer registers or entitlement registers) and/or memory locations in general purpose memory, such as on stack memory. Certain instructions may be used to reference such storage elements to access a desired entitlement, and to perform operations dependent on that entitlement. For example, considering a constrained pointer, execution of such an instruction can cause the constrained pointer to be retrieved and then used to obtain an address in memory requested during execution of the instruction for that pointer value from there. . The pointer value may be used to directly specify the memory address, or may be used to obtain the memory address, for example by adding an offset to the pointer value. Then, if the memory address is within the range specified by the range information and any permissions specified in the permission information are satisfied, the operation will proceed.

Thus, when using constrained pointers, the pointer value itself may point to, or be used to determine, for example, the address of the data value being accessed or the instruction being fetched for execution. However, it may then, for example, ensure that any address accessed is within an acceptable range, and reference the range and permission information accessed for permission purposes. This may be useful, for example, to ensure that an address determined from a pointer remains within certain limits to maintain security or correctness of functional operation. With this solution, it is possible to effectively monitor memory accesses made by the processing circuitry.

In a typical implementation, the state of each permission may be indicated by an associated permission flag within the entitlement, where the flag is set or cleared to specify the state of the corresponding permission. When an authorization flag is cleared, this will typically mean that processing circuitry is to revoke that authorization for that entitlement after the associated authorization is in a clear state. Conversely, when a permission flag is set, this may mean that the associated permission has a set state, so processing circuitry may grant that permission for an entitlement. However, in one embodiment, it may also be necessary to consult other control information before determining whether the processing circuitry actually grants that permission, so that a set state for a permission, such as specified in an associated permission flag, is such that the processing circuitry Depending on any overriding control information, it may also be used to indicate that permission for the qualification has been granted.

It would be desirable to allow an increased number of permits to be specified for individual qualifications, since this solution would improve flexibility in the use of qualifications. However, the entitlement encoding space is typically quite limited. For example, considering the example of a constrained pointer, the constrained pointer qualification is necessary even to be able to specify a pointer value and information representing the associated range, and thus the number of bits left for the specification of permission flags is only an additional permission flag. It may also mean that it is not possible to just continue to add up to entitlement to hear.

Embodiments described herein provide an efficient mechanism for allowing the number of permissions associated with an entitlement to be expanded in such situations.

In particular, in one embodiment, processing circuitry that executes instructions to perform operations, and credentials accessible to the processing circuitry used to limit at least one operation performed by the processing circuitry when executing the instructions. A device having a qualification storage element arranged to store The entitlement may specify, according to a default interpretation, a plurality of N default grants with a state determined from the N grant flags provided in the entitlement. Depending on the default interpretation, each permission flag may be associated with one of the default permissions. Because of this, there may be a 1:1 correspondence between permission flags and default permissions.

However, in accordance with the foregoing embodiments, the processing circuitry is arranged to resolve the entitlement according to another interpretation, in order to obtain, from logical combinations of the N permission flags, status for an extended set of permissions, where the extended set consists of at least N+1 grants.

With this solution, it is possible to expand the number of permissions related to entitlement but without increasing the number of permission flags. Also, the solution provides a very flexible mechanism, since the same permission flags can be used to support both the default and other interpretations. Accordingly, the above qualifications are used in systems that support both the default interpretation and another interpretation, but it is also possible that they are used in systems that support only one of the interpretations. This may also provide backward compatibility, for example by allowing the entitlements to be used in the case of processing circuitry that only supports default interpretations.

The extended set of permissions may take a variety of forms, but in one embodiment may include a plurality of N default permissions, and at least one additional permission. Accordingly, at least one “new” permission can be inferred for entitlement through the use of different interpretations of the N permission flags. This "new" permission may be a permission that has not previously been provided within the entitlement-based architecture, or instead of a permission that can be set or cleared for individual entitlements, a grant that was previously only provided on a more holistic scale. can

In one embodiment, the extended set of permissions includes a modifiable permission that, when in a clear state, specifies that the entitlement is not modifiable by one or more entitlements that modify instructions. By this solution, individual entitlements can be marked as non-modifiable, improving security in certain cases.

In one embodiment, a modifiable permission, when in the set state, causes the N permission flags provided to the entitlement to transition from a set value to a clear value, depending on any invalidation control information that prevents modification. In some cases, invalidation control information may not be present, so the modifiable permission directly indicates that, when in the set state, permission flags may transition from a set value to a clear value. However, in other embodiments, there may be additional control information that needs to be consulted before being able to ascertain that a modifiable permission in the set state actually causes the permission flags to be selectively cleared.

Consistent with convention regarding entitlements, a process whose activities are restricted by a entitlement MAY NOT modify the entitlement in such a way as to restore cleared permission flags to the set value, even when a modifiable permission is in the set state. there is. For this reason, when a modifiable permission is in the set state, this may cause permission flags to transition from a set value to a clear value, but may not cause cleared permission flags to change to a set value.

Although setting a modifiable permission has been described with reference to the ability to change the values of permission flags, the modifiable permission may also affect other fields within the entitlement. When a modifiable permission is in the set state, e.g., along with other mechanisms that prevent the entitlement from being modified, the entitlement may, for example, clear permission flags, decrease limits, and/or change the address of a pointer value. may be modified by a general entitlement that modifies instructions, which may do, in which case the entitlement is called a constrained pointer.

Default permissions can take a variety of forms, but in one embodiment, one or more memory accesses specifying that, when in the clear state, no entitlement is used in one or more memory access operations to access data in memory. permissions and, when in the clear state, an executable permission that specifies that the entitlement not be used to fetch instructions from the memory when forming a program counter entitlement. Thus, these default permissions can be used to restrict operations that attempt to access memory address space.

The one or more memory access permissions may take a variety of forms, but in one embodiment, at least one write permission specifying whether the entitlement is not to be used to perform at least one type of write operation to memory, and at least one write permission from memory. at least one read permission, which specifies that the entitlement is not to be used to perform a read operation of this type. Accordingly, separate permissions may be provided for a read operation and a write operation, and in practice multiple write permissions and/or multiple read permissions may be designated. The use of multiple permissions can be performed, for example, when a write operation or a read operation executes certain types of instructions, but when the processing circuitry is operating in some modes but not others. It may be used to specify that it cannot be executed when executing other types of instructions, and/or may specify that availability to read or write depends on the information being read or written. For example, separate read permission and write permission may be specified for situations where the information being read or written is its own entitlement, or is instead a standard data value.

In embodiments where the default permissions include an executable permission and the expanded set of permissions includes at least the addition of the previously described modifiable permissions, according to different interpretations of the N permission flags, an executable permission and a modifiable permission and It is also possible not to qualify both sides of the set at the same time. Instead, certain transitions in the values of the permission flags may cause an executable permission to transition from a set state to a clear state and a modifiable permission to change from a clear state to a set state, and vice versa.

In one embodiment, the N permission flags are at least one write bit, at least one read permission, each having values specifying the state of at least one write permission, at least one read permission, and execute permission, according to the default interpretation. bits and run bits. In one such embodiment, according to another interpretation, processing circuitry is arranged to determine that a modifiable permission is set when at least one write bit is set or an execute bit is cleared. This provides a great deal of flexibility when specifying where modifiable permissions are set for a particular entitlement.

According to the default interpretation, there is typically a 1:1 correspondence with the default permission associated with each permission flag, but in one embodiment, this is not the case when interpreting permission flags according to other interpretations. Instead, logical combinations of permission flags are used to determine the state of at least one of the default permissions when another interpretation is in use.

For example, in one embodiment, according to another interpretation, processing circuitry is arranged to determine that an executable permission is in the set state when the execute bit is set and all of the at least one write bit is cleared. Thus, according to another interpretation, to determine that an executable permission is set, it is not sufficient for the execute bit to be set, but instead any write bits provided in the entitlement also need to be cleared. This provides a particularly efficient encoding that allows an extended set of permissions to be encoded within the available N permission flags, since, in general, a set of write permissions and a set of executable permissions for the same area of memory Since it is considered undesirable to qualify both sides of , and according to the proposed encoding, this option is prevented.

In one embodiment, read permission is interpreted using additional information as well as associated read bits when using other interpretations. In particular, for each read grant, subject to different interpretations, processing circuitry is configured to determine that a read grant is in the set state when the associated read bit is set, a modifiable grant is in the set state, or the entitlement is in use as a program counter entitlement. may be placed. In general, therefore, it is necessary to have the modifiable permissions set in order for any read permission to be granted, according to another interpretation. However, selective readability may also be given in one particular embodiment where the entitlement is non-modifiable, particularly where the entitlement is being used as a program counter entitlement. In that example, the entitlement may be marked as an executable, non-modifiable entitlement, but in special circumstances may be allowed to read and the entitlement may be in the program counter entitlement depending on the associated read bit.

In an interpretation other than the default interpretation, changes to permissions occur by transitioning the state of permission flags. As noted earlier, when granting permission to a process to change a entitlement, it is common that it can only change the entitlement in a way that infers additional constraints, rather than in a way that relieves the entitlement's constraints. Regarding permissions, this means that, in general, it is only possible to clear rather than set permission flags, so transitions in permissions occur through clearing one or more of the permission flags. According to another interpretation, since logical combinations of permission flags are used to determine the state of various permissions, it is possible that clearing one or more permission flags causes at least one of the permissions to move to the set state. For example, a modifiable permission can be moved to the set state by clearing the run flag.

Also, a transition in the value of certain permission flags may be related to the processing of certain commands. For example, in one embodiment, processing circuitry may be arranged to clear an execute bit within the result entitlement in response to executing an address generation instruction to generate a result entitlement from a program counter entitlement. This can lead to some interesting behavioral changes, which can be very useful in practice. For example, it may mean that an executable but non-modifiable entitlement in use as a program counter entitlement may be used to generate a result entitlement stored in a general purpose entitlement register and then modifiable. It may also be readable thereafter, eg, depending on one or more read permission bits. In particular, when, in one embodiment, the program counter entitlement causes the execute bit to be set and all of the at least one write bit to be cleared, clearing the execute bit in the result entitlement causes the contemplated result entitlement, according to another interpretation, to be: Put that modifiable permission into the set state and put each read permission into the state indicated by the associated read bit.

As another example of how permissions may be managed when executing one or more special types of instructions, processing circuitry, in response to executing a branch with a link instruction, modifiable permissions are cleared within the program counter entitlement. state, may generate the return address entitlement from a program counter entitlement such that it has its modifiable permissions in the clear state. By this solution, it is possible to write return address credentials that are non-modifiable, thereby improving security.

In one embodiment, the device may have one or more general purpose entitlement storage elements and one program counter entitlement storage element. In one such embodiment, an entitlement stored in one of the one or more general entitlement stores causes the execute bit to set, causes the read bit of at least one of the read bits to set, and causes all of the at least one write bit to clear. When so, the processing circuitry is constrained, according to another interpretation, to only use that entitlement to form a new program counter entitlement stored in the program counter entitlement store. However, if the entitlement is stored in the program counter entitlement store, then the new program counter entitlement, according to another interpretation, is considered to have in the set state each read permission that has an associated read bit set, so that a literal value to be read by processing circuitry from memory. Thus, a task can be assigned a entitlement that can only be used to branch at the appropriate time when executing a branch instruction, and therefore that entitlement can only be used as an entry point into another routine. However, when a branch occurs and the entitlement is loaded into the program counter entitlement, then that other routine references the entitlement in other ways, e.g. using load instructions that reference the program counter entitlement to generate an address. to allow literal values to be read from memory.

In one embodiment, the processing circuitry may be arranged to always use a different interpretation. However, further embodiments may provide configuration storage elements that store configuration values used to indicate which interpretation, other than the default interpretation, to apply in the processing circuitry. Thus, this provides a mechanism that allows switching between the default and other interpretations over time, as desired.

The above permissions may be associated with several different types of entitlement used by the device, but in one embodiment the entitlement is a constrained pointer, and the entitlements are used to control usage by processing circuitry of the pointer value specified in the entitlement. do.

Hereinafter, specific embodiments will be described with reference to the drawings.

1 schematically illustrates an example of a data processing device 20 having a processing pipeline 4 for processing instructions. In this example, the processing pipeline 4 includes a fetch stage 6, a decode stage 8, an issue stage 10, an execute stage 12 and a write back stage ( 14), but it will be appreciated that other types or combinations of stages may be provided. For example, a rename stage that performs register renaming may be included in some embodiments. Instructions being processed move from stage to stage, and while an instruction is in progress in one stage another instruction may be in progress in a different stage of the pipeline 4 .

The fetch stage 6 fetches instructions from the level one (L1) instruction cache 20. The fetch stage 6 may typically fetch instructions sequentially from consecutive instruction addresses. However, the fetch stage may also have a branch predictor 22 that predicts the outcome of branch instructions, and the fetch stage 6 may, if it predicts that a branch has been taken, from a (out-of-sequence) branch target address, or If it is predicted not to be taken, instructions can be fetched from the next sequential address. Branch predictor 22 may include one or more branch histories that store information for predicting whether particular branches are likely or unlikely to be taken. For example, the branch history tables may include counters that track the actual results of previously executed branches or express confidence in predictions made for branches. Branch predictor 22 also includes a branch target address cache (BTAC) 24 for caching target addresses of previous target addresses of branch instructions so that they can be predicted for subsequent encounters of the same branch instructions. can also be provided.

The fetched instructions are passed to the decode stage 8, which decodes the instructions and generates decoded instructions. The decoded instructions may include control information for controlling the execution stage 12 to execute appropriate processing operations. For some more complex instructions fetched from the cache 20, the decode stage 8 may map the instructions to a number of decoded instructions, which may be known as micro-operations (μops or uops). . Thus, there may not be a one-to-one relationship between instructions fetched from the L1 instruction cache 20 and instructions as seen by later stages in the pipeline. In general, references to “instructions” in this application should be interpreted as including micro-operations.

The decoded instructions are passed to an issue stage 10 which determines if the operands required for execution of the instructions are available and issues instructions for execution when the operands are available. Some embodiments may support sequential processing, such that instructions are issued for execution in an order corresponding to the program order in which they were fetched from the L1 instruction cache 20 . Other embodiments may support out-of-order execution, such that instructions may be issued to execution stages 12 in an order different from their program order. Out-of-order processing can be useful for improving performance because earlier instructions are paused while waiting for operands, but later instructions in program order with operands available can be executed first.

The issue stage 10 issues instructions to the execution stage 12, and the execution stage 12 executes the instructions to perform various data processing operations. For example, the execution stage may include an arithmetic/logic unit (ALU) 30 for performing arithmetic or logic operations on integer values, a floating point unit (FP) for performing operations on values expressed in floating point form. unit 32, and load operations to load a data value from the level 1 (L1) data cache 36 into the register 40 or store operations to store a data value from the register 40 to the L1 data cache 36. It may have a plurality of execution units 30, 32, 34 consisting of a load/store unit 34 for executing. It will be appreciated that these are just some examples of the types of execution units that may be provided and many other types may also be provided. To perform the processing operations, the execution stage 12 may read data values from a set of registers 40 . The results of the executed instructions may then be written back to the registers 40 by the write-back stage 14.

The L1 instruction cache 20 and the L1 data cache 36 may be part of a cache hierarchy that includes multiple levels of caches. For example, a level two (L2) cache 44 may also be provided, and optionally additional levels of cache may be provided. In this example, the L2 cache 44 is shared between the L1 instruction cache 20 and the L1 data cache 36, but other examples may have separate L2 instruction and data caches. When the instruction being fetched is not in the L1 instruction cache 20, it may be fetched from the L2 cache 44, similarly if the instruction is not in the L2 cache 44 it may be fetched from main memory 50 . Similarly, in response to load instructions, data may be fetched from the L2 cache 44 if it is not in the L1 data cache 36 and is fetched from memory 50 if needed. Any known scheme may be used to manage the cache hierarchy.

The addresses used in the pipeline 4 to reference program instructions and data values may be virtual addresses, but at least main memory 50 and optionally at least some levels of the cache hierarchy may be physically addressed. . Accordingly, a translation lookaside buffer 52 (TLB) may be provided to translate virtual addresses used in pipeline 4 to physical addresses used to access the cache or memory. For example, the TLB 52 stores a virtual page address of a corresponding page in the virtual address space and a corresponding physical page address to be mapped to convert virtual addresses in the page to which the virtual page address corresponds to physical addresses, respectively. It may be provided with a number of entries to designate. For example, the virtual address and the physical page address may correspond to the uppermost part of the corresponding virtual and physical addresses, and the remaining lowermost part at this time remains as it is when mapping the virtual address to the physical address. In addition to address translation information, each TLB entry may also contain some information specifying access permissions, such as indicating whether particular pages of addresses are accessible in particular modes of pipeline 4. In some embodiments, TLB entries specify which levels of the cache hierarchy are updated in response to a read or write operation (eg, whether the cache should operate in a write-back or write-through mode). Corresponding page of addresses, such as policy information or information specifying whether data accesses to addresses in the corresponding page can be relocated by the memory system compared to the order in which the data accesses were issued in pipeline 4. Other characteristics of could also be specified.

1 shows a single level TLB 52, the hierarchy of TLBs is such that a level 1 (L1) TLB 52 contains TLB entries for translating addresses in a number of recently accessed pages. It will be appreciated that the configuration may be such that a 2 (L2) TLB may be provided for storing entries for a greater number of pages. When the requested entry is not in the L1 TLB, it may be fetched from the L2 TLB, or from additional TLBs in the layer. If the requested entry from which the page is accessed is not in either of those TLBs, a page table walk may be performed to access the page tables in memory 50 . Any known TLB management technique may be used in the present technology.

Also, some systems have, e.g., a first TLB (or hierarchy of TLBs) is used to translate virtual addresses into intermediate addresses, then a second level of address translation using one or more additional TLB(s) is performed to the intermediate addresses. It will be appreciated that it may support multiple levels of address translation, such that addresses may be translated to physical addresses used to access cache or memory. This may be useful, for example, to support virtualization where a first level of address translation may be managed by the operating system and a second level of address translation may be managed by a hypervisor.

As shown in FIG. 1 , the device 2 may have a set of limit pointer registers 60 . Although the set of limit pointer registers are shown in FIG. 1 as being physically separate for the set of general data registers 40, in one embodiment the same physical storage is used for the general purpose data registers and the limit pointer registers. It may be used to provide both.

Each constrained pointer register 60 contains a pointer value 62 that may be used to determine the address of the data value being accessed, and range information 64 specifying a range of addresses allowed when using the corresponding pointer 62. includes Restrictions pointer register 60 may also contain restrictions information 66 (also referred to herein as permission information) that may specify one or more restrictions/permissions regarding the use of the pointer. For example, the restriction information 66 could be used to limit the types of instructions that may use the pointer 62, or the modes of the pipeline 4 in which the pointer may be used. Accordingly, the scope information 64 and limit information 66 may be considered to specify the qualifications for which the pointer 62 to use is permitted. When attempting to use the pointer 62 outside of the specified qualifications, an error may be triggered. The extent information 64 may be useful, for example, to ensure that pointers are within certain known limits and do not stray into other areas of the memory address space that may contain sensitive or secure information. In an embodiment where the same physical storage is used for both the general purpose data registers and the limit pointer registers, in one embodiment the pointer value 62 is in the same storage location as used, e.g., in the corresponding general purpose register. may be remembered in

Figure 2 illustrates an example of the types of commands that protect against unauthorized access to data or commands using permissible scopes. As shown at the top of Fig. 2, the special limit pointer register PR1 has, in this example, a lower bound address 68 specifying the lower bound of the permissible range and an upper bound specifying the upper bound of the permissible range. It contains a given pointer value (62) and range information (64), specified using an address (69). For example, the lower address 68 and upper address 69 are set to specify the range of addresses 80000 to 81000. Faults may be triggered when certain instructions refer to the limiting pointer register PR1 and the address determined from pointer 62 is outside this range.

For example, as shown in part A of FIG. 2, in some systems an error sets the value of pointer 62 in pointer register 60 to a value outside the range specified by range information 64. If there is an attempt to do so (here, it is assumed that the pointer directly designates an address), it may be started. This avoids that the pointer 62 takes any value outside the specified range so that any accesses using the pointer can be safely guaranteed to be within the allowed range. Or, as shown in part B of FIG. 2, a fault may be triggered when an instruction attempts to access a location specified by the address of its pointer 62 when that address is outside the specified range. Thus, while it may still be permissible to set the pointer 62 to a value outside the specified range, if an attempt is made to access data at a pointer address (or an address derived from the pointer), an error will occur if the address is outside the permitted range. It may be activated if present. Other systems may trigger faults in response to both the types of commands shown in parts A and B of FIG. 2 .

Range information 64 and permissions information 66 can be set in different ways. For example, security code, or an operating system or hypervisor, may specify scopes and permissions given a given pointer. For example, an instruction set architecture may include a number of instructions for setting or modifying range information 64 and/or permissions 66 for a given pointer 62, the execution of which may be performed using specific software or It may be limited to specific modes or exception levels of the processor 4. However, in addition to, or as an alternative to, the privilege-based mechanism for modifying entitlements, in the embodiments described herein, modifiable permissions may be obtained for individual entitlements. Thus, in one arrangement example, the ability to modify a credential may depend on whether modifiable permissions for that credential are set or whether the process attempting to modify the credential has the required privilege. Alternatively, it may be required that the modifiable permission is in set and that the process attempting to modify the credential has the required privilege before allowing the credential to be modified.

A program counter qualification (PCC) register 80 is stored in the level 1 instruction cache 20, as well as a set of limiting pointer stores 60 that may be used by the execution stage 12 when executing certain instructions that reference the pointer. It may also be used to provide similar functionality in the fetch stage 6 when fetching instructions. In particular, the program counter pointer may be stored in field 82, where PCC 80 provides range information, similar to the range and limit information provided to each of the pointers in the set of limit pointer storage elements 60. (84) and any suitable limiting information (86).

Any particular range of memory addresses specified by a limit pointer in the limit pointer register may contain data, instructions, and/or other entitlements (ie, other limit pointers). Accordingly, the ability of the processing circuitry to access memory at any point in time is one, consisting of the entitlements specified in the constrained pointer registers and any additional entitlements accessible via entitlements maintained in the constrained pointer registers. It will be noted that it is specified by a set of entitlements, which will be referred to herein as a entitlement domain.

The range information specified in the PCC register 80 and any associated limits may be set in a variety of ways. However, in one embodiment, that information is determined using one or more of the limit pointers available to the processing circuitry in the current entitlement domain to determine the memory address range(s) specified for that current entitlement domain. A memory address cannot be accessed using PCC-based limit checks outside of

Fig. 3 schematically illustrates how tag bits are used to specify, in relation to individual data blocks, whether they represent entitlement (i.e., restriction information associated with a restriction pointer) or ordinary data. . In particular, the memory address space 110 will store a series of data blocks 115, which will generally be sized. For simplicity of explanation, it is assumed that each data block consists of 128 bits in this example. Associated with each data block 115, in one example, the associated data block is set to specify that it represents an entitlement, and the associated data block is cleared to indicate that it represents normal data, so that it can be treated as an entitlement. tag field 120, which is a single bit field called a tag bit. Although the actual value associated with a set or clear state may vary from embodiment to embodiment, simply as an illustration, in one embodiment, if the value of the tag bit is 1, it indicates that the associated data block is eligible, and the value of the tag bit If is 0, it will be seen that it indicates that the associated data block has normal data.

When loading a entitlement into one of the limit pointer registers 60 (herein referred to as entitlement register), such as entitlement register 100 shown in FIG. 3, the tag bit moves along with the entitlement information. Accordingly, when entitlement is loaded into entitlement register 100, pointer 102, range information 104 and limit information 106 (hereinafter referred to as permission information) will be loaded into entitlement register. Additionally, associated with, or as a unique bit field within, a corresponding entitlement register, a tag bit 108 may be set to specify that the content represents an entitlement. Similarly, when an entitlement is stored back in memory, the corresponding tag bit 120 will be set associated with the block of data in which the entitlement is stored. By this solution, it is possible to ensure that ordinary data cannot be used as a qualification, as distinguishing between qualification and normal data.

As discussed above, individual entitlements may be associated, but it would be desirable to increase the number of grants without exploding the number of required grant flags. In particular, the encoding space within entitlements is often sparse, and there may not be enough space to add more permission flags for each additional permission that might be desirable to encode.

Figure 4 is an example of permission flags that may be provided in an existing entitlement, taking a restriction pointer as an example. Restricted pointer qualification 150 includes a pointer field 155 that stores a pointer value and a range field that stores range information to specify an allowable range of addresses that may be accessed using the pointer value in pointer field 155. (160). A number of permission fields 165 can then be provided to store one or more permission flags. In the above described embodiment, each permission flag can take the form of a single bit value that can be set or cleared. For the purposes of the foregoing embodiments, entitlement 150 has one or more write permissions, one or more read permissions, and an executable permission, and a number of permission bits are fields ( 165) will be provided. Accordingly. Considering the situation that in general there may be C different write permissions and B different read permissions, C write permission bits W ₀ to W _C-1 may be provided, and B read permission bits R ₀ to R _B-1 may also be provided. Each read or write permission may be associated with a particular type of operation or a particular mode of operation of the processor, or in fact different permissions may be associated with different types of information being accessed, e.g. different write permissions and read permissions may be associated with the accessed It may be set according to whether the information itself is a qualification or a normal data value. For simplicity of explanation, it is assumed that there are multiple read and write permission bits associated with corresponding read and write permissions, but in other embodiments there may be a single read permission and a single write permission, where the read and the state of write permissions is represented by a single read permission bit and a single write permission bit.

Further, as shown in FIG. 4, additional permissions may be encoded within the entitlement, such that, for example, an executable permission may be indicated by the value of an associated execute (X) bit.

According to the default interpretation of the permission bits in permission fields 165, each permission bit is associated with a corresponding permission, and therefore directly specifies the state of that associated permission. This is further illustrated in FIG. 4 . Accordingly, if the permission bit W _i is set, this indicates that write permission i is in the set state, and thus the pointer value in field 155 is the address for a write operation of type i according to any invalidation control information. can be used to specify Similarly, if permission bit R _j is set, this means that since read permission j is in the set state, the pointer value can be used to specify an address for a read operation of type j, according to any invalidation control information. . Finally, if the execute bit X is set, this means that since the executable permission is set, the pointer value can be used to specify the address from which to fetch instructions, again according to any invalidation control information.

Conversely, if the associated permission bit is cleared, this means that the associated permission is revoked for the entitlement and therefore accesses of the type associated with that permission cannot be performed using the associated entitlement.

In the embodiments described below, the same permission bits are maintained, but they may be interpreted differently to obtain status for an extended set of permissions. In particular, according to another interpretation, logical combinations of permission bits are used to specify the state of an incremented set of permissions. In one embodiment, the augmented set of permissions includes the write, read, and executable permissions described as an example with reference to FIG. 4, namely all of the permissions available according to the default interpretation of the W, R, and X permission bits, but , as well as at least one additional permission may be obtained from the values of its W, R and X permission bits. In particular, in one embodiment, a modifiable permission is provided in association with the entitlement, without any additional permission bits needing to be specified.

The manner in which the status of a modifiable permission is determined from the permission bits described above in one embodiment is described with reference to the flowchart of FIG. 5 . In step 200, it is determined whether another interpretation is in use, and if not, this means that the default interpretation is applied, and the process branches to step 205. According to the default interpretation, there are no modifiable permissions. Instead, the ability to modify arbitrary entitlements will be specified everywhere by control information and not on a per entitlement basis using permission bits within each entitlement.

However, if another interpretation is in use, the process proceeds to step 210 to determine if at least one of the W bits is set. If so, the process proceeds to step 220 to determine that the modifiable permission is in the set state. To this end, this means that an entitlement can be modified by certain entitlement modification commands unless other control conditions prevent the modification. For example, there may be some generic invalidation control information that means that a particular entitlement is not modifiable even if the modifiable permission determined from the permission bits indicates not to be prevented from being modified.

If step 210 determines that none of the W bits are set, then step 215 determines if the execute bit is cleared. If that enable bit is cleared, this also indicates that the modifiable permission is set, and the process branches accordingly to step 220. However, if the enable bit is set, then the process proceeds to step 225 where it is determined that the modifiable permission is in the clear state. When a modifiable permission is in the clear state, this means that the associated entitlement cannot be modified. Accordingly, this may allow individual entitlements to be marked as non-modifiable, thereby improving security within a entitlement-based architecture.

It also enhances flexibility when using different interpretations, since it is possible to change the values of certain permission bits within an entitlement to change from a modifiable state to a non-modifiable state. Also, under certain circumstances, it may be possible to convert non-modifiable entitlements to modifiable entitlements, eg, through the use of specific address generation instructions, as discussed below by way of example with reference to FIG. 11 .

When using the default interpretation, according to the other interpretations, there was a 1:1 correspondence between individual permission bits and associated permissions, but this is not the case, and logical combinations of permission bits may be used to determine the state of particular permissions. do. Figure 6 illustrates, for example, how the status of an executable permission can be evaluated depending on whether a default interpretation or another interpretation is in use.

At step 250, it is determined whether the processing circuitry is using a different interpretation. If not in use, step 255 determines if the execute (X) bit is set. If so, the process proceeds to step 270 to determine that the executable permission is in the set state, whereas if not set, the process proceeds to step 275 to determine that the executable permission is in the clear state.

However, if it is determined that another interpretation is in use, the process proceeds to step 260 to determine if the X bit is set. If not set, the process proceeds to step 275 where it is determined that the execute permission is in a clear state. However, if the X bit is set, this in itself does not necessarily mean that the executable permission is set; instead, step 265 performs an additional check to determine if all W bits provided in the entitlement have been cleared. do. Note that if there are multiple W bits in the entitlement, all of those W bits need to be checked in step 265 to determine if they are all cleared. If and only if all of the W bits are cleared, then the process proceeds to step 270 to determine that the executable permission is set; otherwise, the process proceeds to step 275 to determine that the executable permission is set. will determine that is in the clear state.

Returning to step 265, it will be appreciated that determining at step 265 that all of the W bits are cleared is equivalent to determining that the modifiable permission is in the clear state, since from FIG. 5 any of the W bits are set. Because it will be recalled that in case the modifiable permission will be in the set state. Thus, in the embodiment described with reference to Figures 5 and 6, it will be appreciated that only one of the executable and modifiable permissions may be in a set state at any point in time.

Figure 7 is a flow diagram illustrating how the status of any one of the read permissions may be evaluated depending on whether a default interpretation or another interpretation is in use. In step 300, it is determined whether another interpretation is in use, and if not in use, in step 305, it is determined whether the associated R permission bits have been set. If in use, step 325 determines that the read permission is in the set state, whereas otherwise, step 330 determines that the particular read permission is in the clear state.

However, if another interpretation is in use, the process proceeds to step 310 to first determine if the associated read permission bit is set for that read permission. If not set, the process proceeds directly to step 330 where it is determined that the read permission is in a clear state.

However, if the corresponding read permission bit is set, this does not mean that it is immediately determined that the read permission is set; instead, one or more additional confirmations are required. Initially, at step 315, it is determined whether a modifiable permission is in the set state. In one embodiment, this does not necessarily require an immediate re-evaluation of the modifiable permission; instead, this check may be performed with reference to the W and X bits. In particular, from the foregoing description of FIG. 5, it can be seen that a modifiable permission will be determined to be in the set state when at least one write bit has been set or an execute bit has been cleared, so that verification may be performed in step 315. will be.

If it is determined that the modifiable permission is in the set state, the process proceeds to step 325 where it is determined that the corresponding read permission is in the set state. However, if the modifiable entitlement is not set, step 320 performs an additional check to determine if the entitlement is currently in use as a program counter entitlement. If in use, even if no modifiable permission has been set, step 325 determines that the corresponding read permission is set. Accordingly, certain non-modifiable entitlements may be viewed as having at least one readable permission set when the entitlements are in the PCC register 80.

If it is determined at step 320 that the entitlement is currently in use as a program counter entitlement, the process proceeds to step 330 where it is determined that the read permission is in a clear state.

Figure 8 is a flow chart showing how any particular write permission is evaluated in one embodiment. As indicated by box 350, in the above-described embodiment, write permissions are interpreted in exactly the same way regardless of whether a default interpretation or another interpretation is in use. Specifically, step 355 determines if the associated write permission bit is set, and if so, step 360 determines that the special write permission is set, whereas otherwise, step 365 determines that the special write permission is in the clear state. judged to be in

From the above description of Figures 5-8, it can be seen that the status of one or more write permissions, one or more read permissions, an executable permission, and a modifiable permission can all be determined using the existing W, R, and X permission bits encoded within the entitlement. You will know that it can be decided. As no additional modifiable permission bits need to be added, that additional modifiable permission can be encoded into the entitlement without the need for any additional permission bit encoding space.

Figure 9 is a table describing the state of the four aforementioned different types of grants according to the X, R and W bits. In this example, for ease of explanation, it is assumed that there is only one read permission and one write permission, so that there is only a single R bit and a single W bit.

In the more general case, as can be seen from the flowcharts of FIGS. 5-8, when determining the state of a modifiable permission and an executable permission (and indeed a readable permission if it depends on whether a modifiable permission is set): A logical OR operation and an AND operation will need to be performed on multiple W bits as part of the process of evaluating whether the permissions are in the set or clear state.

10 is a state transition diagram illustrating how, when an entitlement is marked as modifiable, individual permission bits can be changed from a set value to a clear value to cause a transition in the state of one or more of the permissions. Also, for ease of explanation, there is only a single W permission bit and a single R permission bit, but in the more general case where there are multiple R permission bits and multiple W permission bits, the R permission bits and It is said that each of the W permission bits may be independently cleared.

As shown by initial state 400, each of the R, W and X bits may initially be set to a logical one value. As is evident from FIG. 9 , this means that the entitlement is non-executable but modifiable, allowing both read and write operations. Since the entitlement is modifiable, individual permission bits can be cleared if desired. By clearing one bit, it is possible to transition to either state 405, 407 or 409. In state 407, the R and W bits remain set, but the X bit is cleared, and in state 409, the W and X bits remain set, but the R bit is cleared. Referring again to FIG. 9 , it will be appreciated that states of both states 407 and 409 correspond to states in which modifiable permissions are set. However, state 405 (where the R and X bits are set, but the W bit is not) corresponds to the state where the modifiable permission is in the clear state, i.e. the entitlement is not modifiable.

Figure 10 shows a number of possible other transitions that can occur, such as individual permission bits being cleared. For ease of explanation, the direct transition from state 400 to state 412, or from state 400 to state 416, is omitted, although in one embodiment these transitions are also possible. It should be noted that states 412 and 414 are static states in which the entitlement is modifiable, but state 410 is another state in which the entitlement is nonmodifiable. While state 416 is in principle modifiable, it represents a condition in which all of the permission bits are cleared, such that a process restricted by the entitlement will not be able to further change the permissions within the entitlement. In some embodiments, state 416 may be determined to be an unused state.

Since states 405 and 410 in FIG. 10 represent situations where the entitlement is nonmodifiable, this would be seen to prevent further transitions from those states. However, as indicated by the "ADR" symbol used in connection with transitions 420 and 425, in one embodiment, execution of an address generation instruction may cause the transitions indicated by paths 420 and 425 to occur. This will be further explained with reference to FIG. 11 .

As shown in FIG. 11, an address generating instruction may specify the general qualification register C _N as the destination register, and also reference an integer register whose content specifies the source operand as an immediate value within the instruction, or as an offset value. So, it may be specified. When this address generation instruction is executed, the program counter entitlement in the PCC register 80 is used as the source entitlement 450. Pointer value 465 is extracted from PCC 450 and subjected to logical operation 460 in combination with the source operand. This may include, for example, adding the immediate value to the pointer value to generate the result value 470, where the address generating instruction specifies an immediate, or this, for example, offsets the pointer value In this case, the corresponding offset is obtained by referring to an integer register, again generating a result value 470. The scope and permission information is then copied across to the result entitlement 455 essentially unchanged, except for the X bits. In particular, when an address generating instruction is executed, the X bit value is cleared in the result entitlement. Thus, this enables the two transitions 420 and 425 shown in FIG. 10 . Specifically, in both cases, an executable, non-modifiable entitlement 450 in the PCC is used to create a non-executable but modifiable result entitlement 455. This provides a particularly interesting effect for transition 420, where PCC 450 was executable and non-modifiable, only readable when in PCC register 80, but resulting from qualification qualifications. 455 is now modifiable and fully readable (as evident from comparing state "010" and XRW state "110" shown in FIG. 9).

12 illustrates the operation of a branch with a link command according to one embodiment. As shown in Figure 12, two separate processes are involved in the execution of the branch with the link instruction. First, the return address entitlement 517 is generated from the current program counter entitlement 500 . In one embodiment, this will generate a return address pointer 515, including the extracted pointer value 505 and the instruction size added to that pointer value via an add operation 510. Then, all of the range and permission information will be copied across to the return address entitlement, which in one embodiment is stored in the entitlement link register (CLR). The CLR can be provided in a variety of ways, but in one embodiment is a special one of the general purpose entitlement registers, eg C ₃₀ . Since the effective program counter entitlement 500 will be executable and non-modifiable, this provides improved security by ensuring that the return address entitlement cannot be manipulated before being used as a return address, since the return address entitlement is also unmodifiable. it means.

If the return address entitlement has been generated, the contents of the entitlement register C _N 520 are copied to the PCC register 80, or form a new program counter entitlement 525. When appropriate, a return instruction can be executed to return from that branch, at which point the PCC will be updated with the contents of the CLR. Since the CLR entitlement was non-modifiable, this would ensure that the corresponding return address entitlement was not tampered with in the interim period.

Figure 13 is a diagram schematically illustrating how the establishment of non-modifiable entitlements in the general entitlement register can be used to provide a process with entitlements that can only be used as entry-point entitlements when executing a branch instruction. In particular, the entitlement 550 sets its X bits, clears all of its W bits, and sets at least one R bit, as indicated by box 565. As is evident from FIG. 9 discussed above, this means that, in essence, the entitlement is non-modifiable, executable (relevant only when the entitlement is placed in the PCC register 80), and only when the entitlement is in the PCC register 80. means readable. Thus, within the general entitlement register C _N , this entitlement 550 is neither readable nor writable, and is non-modifiable. Therefore, it can only use that entitlement given to the process given as entitlement capable of being loaded into the PCC via a branch instruction.

When the branch instruction is then executed to load the contents of entitlement register C _N into PCC register 80, accordingly the X, W and R bits corresponding to those in fields 565 of source entitlement 550 ( Program counter entitlement 560, with 570, is updated. Although none of the X, W, and R permission bits have changed, since the entitlement is now a program counter entitlement, the entitlement is executable, allowing instructions to be fetched, but of any type for which the corresponding R bit is set. It is also readable for read operations.

This means that “literals” can be read from memory using PCC 560. For example, a load instruction may be used to designate an address obtained from the PCC as the source address, and the result at this time is stored in one integer register of the integer registers Xn. When obtaining the address from the PCC 560, if the address is within the allowable range and the type of the read operation sets the associated R permission bits, the load operation loads literal data from the obtained address and It can be performed to store the data in register Xn.

In one embodiment, the processing circuitry may be arranged to always use a different interpretation. However, other instances of processing circuitry may use the same qualifications, but interpret them according to the default interpretation, since the mechanism described herein does not involve any change in the permission bits used, This is because it provides backward compatibility to existing systems that use the default interpretation.

In another embodiment, the processing circuitry may be selectively switchable using a default interpretation to another interpretation and vice versa, and as shown in FIG. 1, configuration bits 90 are the control information of the processing circuitry. It may be provided as part, and the value of the configuration bit at this time determines whether the processing circuitry is using the default interpretation or another interpretation. Setting that configuration bit may be limited to a particular type of code running on the processing circuitry. For example, the security code, or operating system or hypervisor, may be arranged to change configuration bits under certain circumstances.

14 illustrates a virtual machine implementation that may be used. Although the foregoing embodiments implement the invention in terms of apparatus and methods for operating specific processing hardware supporting related technologies, it is also possible to provide so-called virtual machine implementations of hardware devices. These virtual machine implementations run on a host processor 630 that runs a host operating system 620 that supports the virtual machine program 610 . Typically, very powerful processors are needed to provide a virtual machine implementation that runs at a reasonable speed, but such a solution is desirable in certain situations, such as for compatibility or reuse purposes, to run code specific to another processor. may be justified in some cases. The virtual machine program 610 may be stored in a computer-readable storage medium (which may be a non-transitory medium), and an application to be provided by the actual hardware that is the device modeled by the virtual machine program 610. An application program interface (command execution environment) is provided to the application program 600 such as a program interface. The techniques described above for interpreting entitlement grants may be implemented within a virtual machine environment. For example, software that runs on or controls a virtual machine may use hardware that implements these features.

The embodiments described above provide a mechanism to encode one or more additional grants into entitlements without consuming separate grant bits. Logical combinations of existing permission bits may be used to enable an extended set of permissions to be encoded. In one embodiment, this involves reusing redundant encodings to avoid wasting rare permission bits to encode one or more additional permissions, but still retains the desired behavior. Also, the monotonically decreasing permission model holds. In particular, regardless of whether the default interpretation or other interpretation is used, a process constrained by an entitlement can only change from a set value to a clear value when the entitlement is specified as modifiable, so that a process bounded by an entitlement is set to a set state. , cannot restore any permission bits that are cleared in the entitlement.

In one particular embodiment, the additional grant that is added allows modifiable entitlements to be expressed in terms of entitlement units, as they are modifiable grants. This can improve flexibility and security within entitlement-based systems. Optionally, a modifiable grant may be used to return a modifiable grant to entitlements generated by branch and link instructions, for example, to generate non-modifiable return addresses, and/or to compute a PC relative address (ADR). ) instructions may change the behavior of certain instructions used to generate entitlements from entitlements held in the PCC register, including but not limited to removing executable permissions from entitlements generated by the entitlements.

Also, certain useful actions can be accommodated by selectively clearing permission bits. For example, clearing all of the write permission bits from an entitlement that sets its X permission bit changes the entitlement from modifiable and non-executable to non-modifiable and executable. As another example, clearing an execute permission bit, e.g., through the use of an ADR instruction, from a entitlement that sets at least one readable permission bit can make the entitlement unmodifiable, non-readable, modifiable, and Change to readable.

Also, in embodiments where the optional configuration bit 90 is used, the effects of the modifiable permission may be disabled by inverting the processing circuitry to a default interpretation in which each of the individual permission bits has an associated permission and , there are no combinations of those permission bits that prevent the entitlement from being modified. When using this default interpretation, modifying the entitlements will typically allow any constraints to be expressed on a more global scale, typically by reference to some general control information, for example.

By using a different interpretation, which uses logical combinations of permission bits to specify the state of an extended set of permission bits, this allows stronger (more constrained) permissions to be used, rather than requiring an exponential increase in the number of permission bits used. to be specified in relation to the qualifications of

In this application, the words "configured to..." are used to mean that an element of a device has a configuration capable of performing the operations specified above. In this context, “configuration” means the arrangement or manner of interconnection of hardware or software. For example, the apparatus may have dedicated hardware to provide the operations specified above, or a processor or other processing device may be programmed to perform the functions. “Configured to” does not imply that the device element needs to be modified in any way to provide the specified operation.

Although embodiments of the present invention have been described in detail with reference to the accompanying drawings, the present invention is not limited to specific embodiments, and changes, additions and It can be seen that modifications can be carried out in several ways. For example, various combinations of features of the dependent claims and features of the independent claims may be made without departing from the scope of the present invention.

Claims (21)

processing circuitry that executes instructions to perform operations; and
Apparatus accessible to processing circuitry having entitlement storage arranged to remember an entitlement used to limit at least one operation performed by the processing circuitry when executing the instructions, the entitlement in a default interpretation. thus specifying a plurality of N default permissions having a state determined from the N permission flags provided in the entitlement, each permission flag being related to one of the default permissions according to the default interpretation;
Processing circuitry is arranged to analyze entitlements according to different interpretations, to obtain, from the logical combinations of the N permission flags, status for an extended set of permissions, this extended set comprising at least N+1 permissions. under,
wherein the expanded set of grants includes the plurality of N default grants and at least one additional grant.
delete According to claim 1,
when the grant has a set state, the processing circuitry has the corresponding grant for the entitlement granted according to any invalidation control information, and when the grant has a clear state, the processing circuitry has the corresponding grant revoked for the entitlement; Device.
According to claim 1,
wherein the expanded set of permissions includes a modifiable permission that, when in a clear state, specifies that an entitlement is not modifiable by one or more entitlements that modify instructions.
According to claim 4,
wherein the modifiable permission, when in a set state, causes the N permission flags provided to an entitlement to transition from a set value to a clear value according to any invalidation control information that prevents modification.
According to claim 1,
The plurality of N default permissions are:
one or more memory access permissions that specify, when in the clear state, that the entitlement not be used in one or more memory access operations to access data in the memory; and
An apparatus comprising: an executable permission specifying that when in a clear state, when forming a program counter entitlement, the entitlement is not to be used to fetch instructions from memory.
According to claim 6,
The one or more memory access permissions include at least one write permission specifying whether the entitlement is not to be used to perform at least one type of write operation to memory, and the entitlement to be used to perform at least one type of read operation from memory. An apparatus comprising at least one read permission specifying whether to disable.
According to claim 4,
includes an executable permission specifying that, when the plurality of default permissions are in a clear state, the entitlement is not to be used to fetch instructions from memory when used as a program counter entitlement;
According to the different interpretations of the N permission flags, both the executable permission and the modifiable permission are ineligible in the set state.
According to claim 8,
The plurality of default permissions include at least one write permission specifying whether the entitlement is not to be used to perform at least one type of write operation to memory, and the entitlement not to be used to perform at least one type of read operation from memory. further comprising at least one read permission specifying whether or not to disable;
The N permission flags are at least one write bit, at least one read bit, and execute bit, each having values specifying the state of at least one write permission, at least one read permission, and execute permission, according to a default interpretation. contains;
According to another interpretation, the processing circuitry is arranged to determine that a modifiable permission is in a set state when at least one write bit is set or an execute bit is cleared.
According to claim 9,
According to another interpretation, the processing circuitry is arranged to determine that an executable permission is set when an execute bit is set and all of the at least one write bit is cleared.
According to claim 9,
For each read grant, according to another interpretation, the processing circuitry is arranged to determine that the read grant is in the set state when the associated read bit is set, a modifiable grant is in the set state, or the entitlement is in use as a program counter entitlement. , Device.
According to claim 9,
wherein the processing circuitry is arranged to, in response to executing an address generation instruction to generate a result entitlement from a program counter entitlement, clear an execute bit within the result entitlement.
According to claim 12,
When the program counter entitlement causes the execute bit to be set and all of the at least one write bit to be cleared, clearing the execute bit in the result entitlement is such that the supposed result entitlement, according to another interpretation, sets its modifiable permission to the set state. and each read permission to the state indicated by the associated read bit.
According to claim 9,
Processing circuitry, in response to executing a branch with a link instruction, when a modifiable permission is cleared in the program counter entitlement, returns address entitlement from the program counter entitlement to have its modifiable entitlement clear. generating the return address entitlement.
According to claim 9,
at least one additional entitlement storage element, in combination with the entitlement storage element, forming one or more general purpose entitlement storage elements and a program counter entitlement storage element;
processing circuitry when an entitlement stored in one of the one or more general purpose entitlement stores causes an execute bit to set, causes read bit of at least one of the read bits to set, and causes all of the at least one write bits to clear; is, according to another interpretation, limited to forming a new program counter entitlement stored in the program counter entitlement storage element using only the entitlement;
Once the entitlement is stored in the program counter entitlement store, the new program counter entitlement is, according to another interpretation, considered to have, in the set state, each read permission that has an associated read bit set, so that literal values are transferred from memory to the processing circuitry. A device that enables reading by a device.
According to claim 1,
and a configuration storage element for storing a configuration value indicating which of an interpretation different from a default interpretation is to be applied in the processing circuitry.
According to claim 1,
A device in which an entitlement is a constrained pointer and permissions are used to control usage by processing circuitry of the pointer value specified in the entitlement.
Processing circuitry that executes instructions to perform operations, and a plurality of N default permissions accessible to the processing circuitry for use in limiting at least one operation performed by the processing circuitry when executing the instructions. A method of interpreting permissions associated with an entitlement, comprising a entitlement storage element arranged to store a specified entitlement, the method comprising:
providing N permission flags in the entitlement such that, according to the default interpretation, the state of the default permissions is determined from the N permission flags and each permission flag is related to one of the default permissions; and
resolving entitlements according to different interpretations to obtain, from the logical combinations of the N permission flags, a status for an extended set of permissions, the extended set comprising at least N+1 permissions;
wherein the expanded set of grants includes the plurality of N default grants and at least one additional grant.
processing means for executing instructions to perform operations; and
Apparatus comprising entitlement storage means for storing entitlements accessed by processing circuitry and used to limit at least one operation performed by processing means when executing said instructions, said entitlements according to a default interpretation: specifies a plurality of N default permissions with a state determined from the N permission flags provided in the entitlement, each permission flag being related to one of the default permissions according to the default interpretation;
The processing means is arranged to analyze entitlements according to different interpretations, in order to obtain, from the logical combinations of the N permission flags, status for an extended set of permissions, this extended set consisting of at least N+1 permissions, ,
wherein the expanded set of grants includes the plurality of N default grants and at least one additional grant.
A virtual machine computer program stored in a computer-readable storage medium, including program instructions for controlling a host data processing device to provide a command execution environment corresponding to the device according to claim 1. delete

Images